security, encryption, and healthcare

Carlos Macedo Gomes powerofprimes at gmail.com
Wed Feb 28 17:27:34 MST 2007


I'll throw my $0.02 on this debate of certification/degree vs hands on
training.  I don't agree w/ everything that JMZ has said, but his
statement about the **potential** bifurcation of the field into "web
hacker" and "trained career engineers" and how that plays out in
"trust in the workplace" does resound with me and with what I've
seen in my career.

I also fear that contemporary individuals (i.e., techies)
inadvertently assume a certain level of long term career risk in not
properly establishing a personal **strategy** for "professional
training & development" and in doing so are investing too much of
their intellectual capital into the "learning on the job" category of
learning.  The risk with this type of learning is that it is
susceptible to "marketplace amnesia" (at best) or "inbreeding of bad
ideas" (at worst) created by the "hotness" of the IT sector.  This is
true in most IT fields and very, very true in Information Security.

Folks working for a long time in IT and Computer Science understand
that the baby rarely gets thrown out with the bath water.  Take a look
at networking protocols starting in the early 70s with Ethernet and
follow through today to ATM on the WAN and 802.11 in radiowaves.  Like
the venerable Moore's Law, we seem to keep squeezing more and more
functionality out of very similar IT infrastructure over the last
several decades.  I'm not sure if we'll ever see a change in this
process, but I'm not sure if the current marketplace passion for
enumerate and patch (especially in IT Security) is going to get us out
of this hole anytime soon (see #2 in the following):
http://www.ranum.com/security/computer_security/editorials/dumb/

Quick background on me:
Information Security Specialist (full time) at a Fortune 50 organization
Adjunct Instructor for Computer Crime and Investigations at ITT Tech
BS Computer Engineering, '96 Texas A&M University
MS in Information Assurance, '08 (expected) Norwich University
ISC^2 CISSP, ISACA CISM, GIAC GCFW, GIAC GCFA

All the above said, I believe that some (and possibly many) can learn
and do learn more from hands on learning than from book learning.  I
know I did via student jobs in college and later using what I learned
immediately at work.  I also teach at ITT Tech part time and see the
need for hands on education and training (especially with the
changes/pressures in the US workforce due to challenges and
opportunities of globalization).  Also, a couple of my best friends
bailed early (w/ a semester or two left to graduate) on engineering
degrees from Texas A&M in the early 90's to chase startups and they
are very, very bright fellows still actively doing work in startups
and consulting.  Nothing wrong with that path if you take into account
the long-term, strategic risks I mentioned above.

I think Blaine Burnham said it best in this interview from Vol 1 Issue 1
of the NUJIA:

<snip>
NUJIA: How does the historical perspective affect the curriculum?

Have you heard about security-aware applications? How about trusted
databases? What is involved in developing very high assurance
solutions?

If you look at what was going on in the early days such as MULTICS in
the late 1960s and early 1970s, we knew a lot about this
stuff.[8] We have suffered from a collective amnesia for about 30
years and have forgotten a good deal of it. For instance we based
MULTICS on a ring architecture and then 25 years later we're all
excited about defense in depth. Sure, it's good, but it isn't new.

Another interesting "new" emphasis is intrusion prevention; for
example, we've been working on keeping bad guys out using firewalls
and the like, but now we're looking at limiting the damage that bad
guys can do when they get in. This is simply rediscovering the
reference monitor. I have trouble calling an idea that's more than
three decades old "new."

I think that one of the roles of the university is to identify the
foundational ideas that are just as serviceable now as when they were
formulated. We have the obligation of healing the amnesia. We have to
be sure that those foundational ideas are revisited, used and
revitalized so that we don't miss out on fundamentals. Particularly in
the case of information security the intervening years have, by and
large, not brought forth knowledge, understanding, or experience that
has improved on that foundational knowledge. Put a bit differently, we
used to know how to do this business – and it worked. We also made
mistakes. We need to recover that knowledge and the benefits of the
experience of the mistakes. It appears that the university bears the
principal responsibility for recovering and conveying this
foundational knowledge. It certainly isn't happening in the
marketplace.

I'm concerned that much of the curriculum we're teaching is tactical –
how to deal with the current technology and today's problems but not
conveying the fundamentals that would allow people to build
high-assurance systems. In our foundations course, we read Ross
Anderson's book[9], Bruce Schneier's Secrets and Lies[10], and many
(about 40) wonderful papers including "The Inevitability of
Failure"[11] and Schell's "Information Security: Science,
Pseudoscience, and Flying Pigs."[12]
</snip>

The full interview and other articles can be found below:
http://nujia.norwich.edu/1_1/i01v01kabay.pdf

ymmv,
C.G.

On 2/28/07, Joshua Zeidner <jjzeidner at gmail.com> wrote:
>  Joseph,
>
>    In response to your comments below... there are many problems with
> an 'uncredentialed security expert'.  Many of these problems extend to
> non-security disciplines as well.  Essentially, it comes down to
> trust.  And this hypothetical person has absolutely nothing at stake,
> he could completely screw things up and what does he have to lose?  He
> most likely picked up a few books, tooled around on his (or her) linux
> box for a while, and started talking the talk... if someone didn't
> even make the basic effort to get a degree in the discipline, I (and
> many others) have a very hard time being convinced of their sincerity
> and credibility.  The typical fact is that they don't have any, they
> jump into something because they see a hot salary, they fake it for as
> long as it makes sense, and then jump ship into something else or go
> start a rock band.  This group will in turn run themselves ragged
> chasing after each and every technology trend that comes along.
> These trends are getting more and more ridiculous and rapid every
> quarter, and the investment one must make in keeping up with them (at
> a personal or department level) is way too expensive for the value
> they may provide.  I just stay away from this crowd, they will just
> run themselves down eventually.  These folks will not only destroy
> their own careers, but they will ruin a department, website, etc. as
> well.
>
>   Although I am sure many here want to cover for their buddy who never
> managed to get a degree, or perhaps they don't have one themselves...
> but the fact is that if you are dedicated to the field, you have to
> show the effort. I've worked with a person in the recent past who
> fancied himself a security expert who loved to rant off about
> honeypots and tcp-ip stacks, but none of these little factoids he
> picked up have any grounding in experience, and there is no particular
> reason why anyone would want to take him seriously.
>
>   Even those who jumped in the mix during the 90s from other fields...
> I still find them to be lacking in the basic skills of development.
> As the job market continues to shrink, believe me those people without
> BS CS on their little piece of paper will be sifted out, especially if
> labor regulations are introduced.  In the recent past the CS field had
> enough of a vacuum in the market to allow for these types of people,
> but the economics of the current situation are turning it into a field
> just like any other; you have to go and get someone to give you a
> piece of paper that says you have knowledge of this field.  If you do
> have experience and no degree, I would suggest making plans to get
> one.  I'm certainly noticing that these groups are becoming stratified
> into the 'web hacker' people and the trained career engineers.  When
> push comes to shove and the DOL has to make a decision about who to
> help, who do you think will make the cut?
>
>   -jmz
>
>
> On 2/28/07, Joseph Sinclair <plug-discussion at stcaz.net> wrote:
> > I have to say, I don't agree with much of JMZ's view.
> >
> > It is entirely possible to work in security without an advanced degree and without academic experience.  The academics are needed if you're designing new algorithms, but most security work is designing and implementing security subsystems and auditing software for security concerns.  It doesn't take major mathematics to do that (unless you're implementing an encryption algorithm, something almost never done in practice), you just need a good strong detail-oriented focus, strong systems-design skills, and a touch of paranoia, since everyone misses something in this field.
> > Will healthcare tie into security, absolutely, although HIPAA defines requirements, the implementation of those requirements leaves a lot of room for software, and policy, innovation.  I don't think you'll find your math skills greatly used, however, unless you decide to do some work on one of the open-source encryption systems cross checking the algorithm implementations or something similar.
> >
> > Regarding the value of a degree, I've worked with incredibly skilled people who have no degree, and I've worked with incredibly incompetent people with a PhD, most people are somewhere between those two extremes.
> > The degree matters to an extent (and more education is generally a good thing), but the character and qualities of the person who earned the degree always matters far more than the degree itself.
> >
> > The "baby boom" generation (born 1946-1964) is statistically much larger than the generations born in the 20 years prior or the 20 years following.  They also reproduced at a lower rate than their parents (average < 2 children/couple, net loss of population).  In fact the primary reason the US population continues to grow is immigration, but that can't change the fact that the average age of US residents is rising (see http://www.census.gov/ipc/www/usinterimproj/natprojtab02a.pdf)
> > That said, the "graying" of the population is somewhat exaggerated (even in 2050 the census predicts that only ~21% of the population will be over 65), of course the projections to 2070, are somewhat more extreme, but they're also not statistically reliable.
> > The problem that arises is that to pay social security for that 21% (vs. the 12% today) the working 42% (vs. 52% today) will have to pay around 40% of their income under the current social security model (3 times the current amount), and the economy wouldn't be able to support that.
> > The solutions are well known, and there's no doubt they'll work, the problem is that they're not completely intuitive, and they reduce the power of the government, something many government officials don't like (they want more power, not less).  Also, everyone in Congress is deathly afraid of changing Social Security for fear of upsetting some very powerful lobbies in DC (AARP being chief among them).
> > Healthcare for the elderly isn't likely to have a huge economic impact. Lifestyle medicine, such as psychiatric treatments, sleep-aids, and ED drugs (mis)used as enhancers, has a much larger impact and is driving much of the current growth in healthcare.
> >
> > As far as bubbles go, energy is a good current candidate, as is materials science.  It may be another year or so before the next bubble is really clear, but it probably won't be healthcare, that's more likely to hit in 2017, if ever.
> >
> > As for socialized healthcare, if you want to know what that's like, just look at France, or England.  Both have had socialized healthcare for some time (to varying degrees), and it's very eye-opening to see what the result of that has been.  If you want someplace closer to home, look at Canada, and ask yourself why so many wealthier Canadians cross the border to US hospitals for treatment each year.
> >
> > Sorry for the long rambling post, I wanted to try to cover all of your points (including some earlier items).
> >
> > Josh Coffman wrote:
> > > I don't know that having the BS helped me or not after I had a few years of experience.
> > > It sounds like a BS alone isn't enough to be taken seriously in Security. Don't really know.
> > >
> > > It is my understanding that the Baby Boomers were called such because they were a big population jump following ww2.
> > >
> > > I think nationalized (aka socialized) healthcare has more issues than population changes.
> > > Personal opinion, but I'd trust a collective influence of individual decisions more than a centralized generalization by a few pushing influence
> > > over the rest of a society. Stated another way, I trust my own opinions for my own life and my family's rather than handing it over to someone
> > > in DC who doesn't know me and only really cares for continuing their pay and power with no responsibility.
> > >
> > > Admittedly, both ways have their issues.
> > >
> > > -j
> > >
> > >
> > > ----- Original Message ----
> > > From: Joshua Zeidner <jjzeidner at gmail.com>
> > > To: Main PLUG discussion list <plug-discuss at lists.plug.phoenix.az.us>
> > > Sent: Tuesday, February 27, 2007 1:16:15 PM
> > > Subject: Re: security, encryption, and healthcare
> > >
> > > On 2/27/07, Josh Coffman <josh_coffman at yahoo.com> wrote:
> > >> Excellent, Josh!
> > >> Guessing my Math B.S. doesn't get me anywhere, and I'd understand that.
> > >> It's just a B.S.; and I was too tired of being poor to accept the masters program offer. d'oh!
> > >> Sounds like some other certifications would be helpful. Personally, I don't think I have the time. :(
> > >
> > >   It is a telling sign that a B.S. no longer gets you anywhere...
> > >
> > >> So Healthcare is growing, but how does that affect IT?
> > >
> > >   Well, where the money goes, IT goes... but that is not necessarily
> > > going to change things for IT people.  I would think that some
> > > background in healthcare would be marketable, but health agencies
> > > manage things in the same way as any other type of organization and IT
> > > people typically aren't directly involved in the administration.  One
> > > thing I have found is that managers will sometimes view domain
> > > specific knowledge negatively, because it is threatening to their
> > > position.  Typically managers want highly technical people who are
> > > just simply going to fulfill technical requests and don't have the
> > > possibility of getting involved with the actual administration of the
> > > particular business.
> > >
> > >> I think it will become a bubble, and a big one...
> > >> The large, aging sectors of our society will create an increased demand for health services. (Also, seems
> > >> like so many people of various ages have 2-3 prescriptions for misc things.)
> > >
> > >   so they say, but the problem is that the younger working people are
> > > going to pay for it.  Health 'insurance' is not really insurance in
> > > the classical sense, it's a financial scheme that promotes the sale of
> > > certain types of services, and allows for creative payment structures.
> > > I'm not really sure why we have any more of an 'aging population' than
> > > we have ever had (did the older generation have less kids?).  It
> > > always seems like healthcare hooplah to me.  It's not hard to figure
> > > out why the Healthcare industry wants to promote this future of
> > > millions of old people hooked up to expensive devices and taking
> > > costly medications.  These are the types of issues that prohibit
> > > national health care plans...  jmz
> > >
> > >
> >
> > ---------------------------------------------------
> > PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> > To subscribe, unsubscribe, or to change your mail settings:
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> >
>
>
> --
>
> ( 602 ) 490 8006
> jjzeidner at gmail.com
>


-- 
powerofprimes at gmail.com
Carlos Macedo Gomes
_sic itur ad astra_

